Your SlideShare is downloading. ×
0
Server Side Request Forgery - ssrf
Server Side Request Forgery - ssrf
Server Side Request Forgery - ssrf
Server Side Request Forgery - ssrf
Server Side Request Forgery - ssrf
Server Side Request Forgery - ssrf
Server Side Request Forgery - ssrf
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Server Side Request Forgery - ssrf

3,032

Published on

Server-Side Request Forgery - SSRF

Server-Side Request Forgery - SSRF

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
3,032
On Slideshare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. • Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to create requests from the vulnerable server. • Creates requests from the vulnerable server to intranet/internet. • SSRF usually attacks targets on the internal systems that are located behind a firewall and normally inaccessible from the outside world. • With SSRF it's possible to access these systems.
  • 2. • Using a protocol supported by available URI schemas, you can communicate with services running on other protocols. • By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. • The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://).
  • 3. • Basically Packet A Packet B – Attacker sends Packet A to Service A – Service A sends Packet B to service B – Services can be on same or different hosts – Possible to manipulate some fields of packet B within packet A – Different SRF attacks depend on how many fields can be controlled
  • 4. • Smuggling Requests using services running to communicate. • With SSRF it's also possible to access services from the same server that is listening on the loopback interface.
  • 5. • The difference between various SSRF attacks depends on how much value of packet B we can control with packet A. So there are 4main types of SSRF attacks: • –Trusted SSRF : When we can send requests (Packet B) to remote services but only to those which are somehow predefined • –Remote SSRF : When we can send requests (Packet B) to any remote IP and port. This type has 3 subtypes depending on how much data we can control – Simple Remote SSRF: No control on application level of Packet B – Partial Remote SSRF : Control on some fields of application level of Packet B – Full Remote SSRF : Full control on application level of Pack SSRF Types
  • 6. • cURL - extensive support of URL schemas other than HTTP/HTTPS. • If the vulnerable server is using cURL to make HTTP requests, it's possible to use the dict URL schema to make requests to any host on any port and send custom data. • The URL dict://locahost:11211/stat will cause the server to connect to localhost on port 11211 and send the string "stat". • Port 11211 is the default port used by Memcached which is not accessible from outside. • With this URL it's possible to connect to the local Memcached server and issue various commands. • • Normally, Also, Memcached doesn't support any type of authentication and therefore the attacker can issue any type of command. SSRF Cheat Sheet

×